Enigma Virtual Box unpacker
There are plenty of changes.
- Properly detect versions 9.50..9.90
- Unpacks files packed with 9.80 and 9.90
- Added command-line parameter "/nodiskspace", as requested by some users. If it crashes during unpacking because it ran out of disk space, it's your problem.
- Unpacker properly handles invalid input filename
Molebox 2.x unpacker
- Support more versions of very old Molebox
- Unpacking files with digital signatures should be improved
- Some rare bugs have been fixed
Autoplay Media Studio unpacker
- Added support for AMS version 8.5.3.0.
- Support for Imagine MemoryEx encrypted files, as requested by someone.
What is MemoryEx?
MemoryEx is a plugin released by Imagine Programming, allowing for more advanced operations from within the Lua environment you will find in Autoplay Media Studio 8.
While it's not a very common plugin, there are several niche programs which use this plugin. For example, most programs from dindroid.com use it.
When you unpack such a file, please pay attention to the "Found protected file" messages:
As you can see, the unpacker created some .luac files.
Next, you will need to find a Lua decompiler and decompile these files. I suggest you try unluac, luadec or whichever Lua decompiler you prefer.
The decompiler should produce a .lua file which contains all the interesting stuff. For example, part of the G-Nerator code looks like this:
```
return {
  info = {
    name = "Anderson M Santos",
    author = "dindroid.com",
    contact = "andersonnsantos36@gmail.com"
  },
  functions = {
    Install = function()
      function Stile_Sonbre_P()
        sHandl = Application.GetWndHandle()
        DLL.CallFunction(_SystemFolder .. "\\User32.dll", "SetClassLongA", sHandl .. ",-26," .. 131072, DLL_RETURN_TYPE_LONG, DLL_CALL_STDCALL)
        if Label.GetText("local") == "C:\\" then
          Label.SetText("local", _ProgramFilesFolder .. "\\Dindroid")
        end
        Image.Load("imico", _TempFolder .. "\\icon.tmp")
        Image.Load("imc", _TempFolder .. "\\bts_01.tmp")
      end
      function Install()
        Folder.Create(_ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator")
        File.Copy(_SourceFolder .. "\\Install\\*.*", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator", true, true, false, true, nil)
        sP = System.EnumerateProcesses()
        for j, file_path in pairs(sP) do
          file = String.SplitPath(file_path)
          if file.Filename .. file.Extension == "GNerator.exe" then
            File.Copy(file_path, _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\")
          end
        end
        Shell.CreateShortcut(String.Replace(_WindowsFolder, "Windows", "") .. "\\Users\\Public\\Desktop", "G-Nerator", _ProgramFilesFolder .. "\\Dindroid" .. "\\G-Nerator\\GN.exe", "", "", _ProgramFilesFolder .. "\\Dindroid\\G-Nerator\\GN.exe", 0, SW_SHOWNORMAL, nil, "")
        ....
```
That's all folks, have fun using it!
As always - if you notice any bugs, please report them. And most importantly - Happy New Year everybody! 🙂
Hello, I want to unpack an .exe file but none of these unpackers worked, what's the solution for my problem?
The file in question is this:
{hidden link}
Hi,
your file is packed first with Molebox 2.x and then Enigma Protector. There is no automatic unpacker for Enigma Protector.
If you manually unpack Enigma Protector, then my unpacker will be able to unpack Molebox and extract all the files.
Easier solution would be to use Virtual File System Editor by Extreme Coders. It will unpack all embedded files but not the main executable.
Hello kao , just want to ask about Virtual file System Editor - By Extreme coders. Is it the same method in your unpacker?
No, they are totally different.
Virtual File System Editor needs you to run the file and then extracts data files from process memory. Benefits - it can handle unknown protections or combinations of packers. Drawbacks - it can't unpack main file and it's not safe to use on malicious files.
All my unpackers are static - they never run the file. So, they are safer to use but can only extract files from known protections. They can also extract main file and bundled registry keys.
Thank you for your hard work as always. Happy 2022!
Great, after upgrading the latest version of enigma 0.59, the exe that could not be unpacked before can finally be unpacked, I hope it gets better and better!
You're welcome! 🙂
Hey Kao! Nice to see you still updating Enigma VB Unpacker, I got a file which DIE said it's Enigma VB, but can't unpack it with your tools.. do you think it's a different protector? If you could tell me a way to get it I would be so glad, thanks.
Here is the file: {hidden link}
This is for fixing my mail, misspelled it, sorry.
As it happens quite often, DIE is wrong. 🙂 Your file is protected with Themida.
EDIT: possibly Themida in combination with Enigma Protector. In either case, it's not Enigma VirtualBox.
Would you guide me in the right way to unpack it out? Thanks!
As far as I know, there are no automatic tools or scripts for x64 Themida and Enigma. You would have to make your own.
I don't have such tools either, so there is not much I can help you with.
Plus, the file is .NET (csharp), so.. we don't need to use any script at all, don't we? Just trying to dump it.
Nice work on these tools. I think this is the first LH tool I've seen.
Just a remark; you forgot to unpack the assemblies in the LH file.
Hi,
it's rare to see a protection author visit my blog. Welcome! 🙂
I did not unpack embedded assemblies because I was unaware of such feature. I'll happily update the unpacker - just need to find some example file first..
Hi 🙂 MemoryEx can load LH modules compiled with IMXLH, they are designed for modularity and less about protection. The "protection" is more obfuscation and a bonus, but the intended purpose was deploying modules of code that include a lot of MemoryEx features (FFI, OS interfacing, structure definitions etc).
I also do occasional malware/sample analysis and for that purpose I also wrote an unpacker that unpacks AMS8 binaries back to .autoplay project files, therefore I am interested in such tooling. I'm currently also in the process of writing a vastly featured lua disassembler (luadis) that can output information about compiled Lua chunks with some static analysis.
I'm obviously not going to give away the exact format of LH files, however an LH module consists of a Lua chunk (which you have found), none or many assembled pieces of machine code (x86, relocatable) and a verification section that prevents the default MemoryEx build from loading a file in certain situations. You can generate samples yourself if you install the free version of IMXLH, here's some source code of LH modules with machine code routines: {hidden link}
It would be cool if you'd pitch me an email if you have a version that works on the assemblies too.
Seems like EVBunpacker unable to extract new images from the game credited by RPG MZ. Just like
%\www\img\pictures\1アイリン普通3.png` failed, probably corrupted executable!
[+] File "C:\Users\Justi\Desktop\テイルver0.6\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png", size=0x6D8C
[x] Extraction of file `C:\Users\Justi\Desktop\テイルver0.6\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png` failed, probably corrupted executable!
This pack is related to RPG MZ and image formats in that could include encrypted format like ".rpgmvp" ".png_" or just simple ".png"
I'm frustrated and I don't know why .png can't be extracted. Maybe the actual format of those images is ".png_" and the "_" is undetectable in common extractors. None of the images in this game pack could be extracted.
Here is the link of the game
{hidden link}
Hi CHANS,
it's working fine for me, no errors:
```
[+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通.png", size=0x6C57
[+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通2.png", size=0x6C5C
[+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン普通3.png", size=0x6DBC
[+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ.png", size=0x6D8C
[+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ2.png", size=0x6D0A
[+] File "F:\%DEFAULT FOLDER%\www\img\pictures\1アイリン照れ笑.png", size=0x6BF7
```
I'd still love to fix the issue if possible.
Could you please try this test version of unpacker and tell me what error message you get?
I would expect something like these:
[x] ForceDirectories F:\%DEFAULT FOLDER%\ failed!
or
[x] Problem on line 3, message Cannot create file "F:\%DEFAULT FOLDER%\notification_helper.exe". Access is denied
Once we know why it's failing for you, I'll try to figure out the proper fix.
I found that errors only occur in extracting on desktop but work fine on D: and E:
When extract the game on desktop:
```
[x] Problem on line 3, message `Cannot create file "C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ハニービー.png". Access Denial.`
[x] Extraction of file `C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ハニービー.png` failed, probably corrupted executable!
[+] File "C:\Users\Justi\Desktop\%DEFAULT FOLDER%\www\img\characters\ヒュプノ.png", size=0x51E9
```
I was trying to break a AMS exe and I got to this point.
For LH files that are inside the .exe (packed) what can I do? I know the name of the LH file and the function call, can I get the code of that function somehow?
I can run live lua code in that AMS .exe THEN do you think there is a way after loading the LH file to download it as txt or a similar option to get it?
I find your blog very interesting, because of the way you explain it. keep it up
If you know name of the file, you can use Virtual File System Editor by Extreme Coders to extract the file from the running process.
what if you don't know the name of the files? extension only
Depends which file virtualization solution was used and with what settings. If you could send me a link to your file, I'll try to find time and take a look.
Thank you for creating such a wonderful Enigma unpacker. While it does work on some enigma VirtualBox protected files, it does not on some. A file has two sections .enigma1 and .enigma2 but when trying to unpack I am provided with this:
```
EnigmaVBUnpacker v0.59, compiled on 29-12-2021 20:57
Supports Enigma Virtual Box v4.10..9.90
Latest version always on {hidden link}
[+] Filename: DorkR_PTO\DorkR_PTO.exe
[+] MD5: c6b2d994e408787aafa43f75ed7529bc
[+] x64 executable
[x] Expected section name ".enigma2", found ".rsrc"
[x] This file is not protected with Enigma Virtual Box or is hacked.
```
I have uploaded an image of enigma VBUnpacker + EXEInfo side by side: {hidden link}
If you want to look at this file that would be great. Download is available here: {hidden link}
Thank you!
In your case, your file is protected with Enigma Protector, which is a totally different software and is not supported by my unpacker.
of course here you go, as detailed as I can be
{hidden link}
Have you had time to check the link? I got stuck there
I'm sorry, I don't have much free time lately.
From the quick look, you can place your own lua5.1.dll next to the EXE file, make it read-only and then Winlicence will not replace it.
Hope that helps.
Thanks for replying, but in fact I tried it and it doesn't work, it says it could not load the lua5.1.dll file. it doesn't replace it but it doesn't load it either.
can you get the name by causing an error in the plugin when calling it? I can't think of any other option
Enigma unpacker said that the dll I gave it is protected by Enigma protector and not enigma virtual machine...
And your question is?
I've successfully used Enigma unpacker 0.56 with an older version of Wine before, but now it's not working. I tried Enigma unpacker 0.59 and 0.56.
After selecting an exe and clicking "Unpack" Enigma unpacker crashes as soon as it says "[i] Loading large file, it might take some time..."
The exe I tried to extract is 1.3 GB so I tried a smaller one that worked before but the same thing happens.
{hidden link}
Hi Guy, I'm not sure you entered a real email address, so I'll answer here. If you're interested in a longer discussion, please feel free to email me.
Based on the log you provided, this is the problematic code:
If you would like to try, here is a test program that tries to create a temp file. I'm guessing it will fail on your system, even though in my Ubuntu it works just fine:

I will try to improve my GUI, so that the error message is actually visible. However, I can't fix Fedora/Wine issues, they are beyond my control.
Gave that a try, and it worked.
```
$ wine test_tempfile.exe
002c:fixme:winediag:LdrInitializeThunk wine-staging 7.12 is a testing version containing experimental patches.
002c:fixme:winediag:LdrInitializeThunk Please mention your exact version when filing bug reports on winehq.org.
Creating temp file C:\users\user\Temp\EVBa432.tmp
All OK
Press ENTER to close
```
I gave Enigma unpacker a go again with the exe I tried earlier and it worked this time. Nothing Wine related changed since I first posted, so I have no idea what happened. Very strange!
Thanks for your response.
I'm glad it works now, and I'm sorry we still don't know why it failed a few days ago.
I am trying to unpack an x64 exe that I suspect is packed with VirtualBox. When I try to unpack the exe, I get the following output:
```
[+] x64 executable
[x] Expected section name ".enigma2", found ".rsrc"
[x] This file is not protected with Enigma Virtual Box or is hacked.
```
And if I scan the exe with DiE it shows .enigma1 and .enigma2 sections which can be seen here:
exe is here: {hidden link}
Thank you!
Hi there,
your file is protected with Enigma Protector - a different software from the same author. Enigma Protector is not supported by my unpacker and I have no plans to change that.
Hello,
What is the .NET Framework Target for your AMSUnpacker v0.4.1.36034 ?
Installed .NET Framework versions:
· Microsoft .NET Framework v3.5 SP1
· Microsoft .NET Framework v4.0.3
It is not working on Windows XP SP3.
.NET Runtime Error:
Application: AMSUnpacker.exe
Framework Version: v4.0.30319
Description: The process was terminated due to an unhandled exception.
Exception Info: System.Threading.SynchronizationLockException
Stack:
Thanks in advance.
Hi, my unpacker needs .NET framework 4.7.2, so there is no chance to run it on Windows XP.
Last version of unpacker that worked on WinXP was version v0.2:
https://mega.nz/file/w4gwhTxL#BoXgRQ2hiMAwSdAzulLnATlkda3ywvex7Ocv1j1Spp8
Hello, this file can't be decrypted. Please help me. There are many game characters and scenes in it. Thank you for decrypting the largest file
download:
{hidden link}
It works just fine for me, as you can see in the screenshot.

If you can provide me with more information about your system and what exactly you did, I can try to reproduce the issue. Otherwise there's nothing I can do to help.
Please put all the decrypted MUGENGERS The Orochi's Origin files in mediafire or drive.google, thank you~
No, thank you.
If you are having problems with my unpacker, please describe them in detail and I'll do my best to fix the bug in the unpacker. But this is not an unpacking service.
It can't be solved at all. The same version 0.59 is used, but the prompt
[+] Filename: C:\game- 02\MUGENGERS 4 - The Orochi's Origin.exe
[x] There is not enough space in working directory. Unpacking would most likely fail!
Make sure there is more than 50 GB of space to be released
So please upload to mediafire Thank you
I know, reading the actual blog post is really hard.
Here, I highlighted the important part for you.
But the hard disk has a lot of space. Can't you upload it to mediafire ?
I will not be uploading any unpacked files. Please stop asking.
If you want me to look at your problem and improve my unpacker, please run MSINFO32 tool, generate the report and send it to me. Then I'll have the information I need to look at your problem.
Here are a few tutorials on how you can do that:
Try to unpack a game for cheating, but it has some trouble with some '.js' files in plugin. Their size=0x0 and it finally become a full copy as the boxed .exe with the name of .js files. When I just change it into .exe, then it can be open as a full boxed game. I wonder how it happen and how to solve it? Thanks for your hardworking and this convenient tool!
Here is the box game file, I just need some time to upload it, which I just have trouble in unpacking.
Download:{hidden link}
I tried to unpack a game for cheating, but it has some trouble with some '.js' files in plugin. Their size=0x0 and it finally become a full copy as the boxed .exe with the name of .js files. When I just change it into .exe, then it can be open as a full boxed game. I wonder how it happen and how to solve it? Thanks for your hardworking and this convenient tool.
I am currently on vacation until the new year, I'll try to look at it once I get back.
I know what the problem is and I know how to fix it. I'll release an updated version of unpacker when I'm back from vacation.
Merry Christmas!
Fixed version is available here: https://lifeinhex.com/updated-enigmavb-unpacker/
Hello, I want to unpack an .exe file but demolation unpacker didn't work (it looks like it worked but I can't open the application), what's the solution for my problem?
The file in question is this: {hidden link}
please help me 🙁 (Virustotal link :
{hidden link} )
Thank you for reporting this! It looks like a bug in my unpacker. I will do my best to fix it when I get some free time. 🙂
Could you please try this unpacked file and let me know whether it works for you? https://mega.nz/file/VxQhUJKJ#9UIPi3cel_wr4LcKA4bl6YhIsMLpJLj0Wva4OFx9YLU
Now its working well ! Thank you so much ^^.
Could someone help me to release this main.exe
I'd like to extract information about this main, or even unpack it, as I'm new to the area, I don't have the necessary tools. Who can help me I would be very grateful
{hidden link}
Then you better start learning and obtaining the necessary tools and skills. 🙂 This is not a "please unpack my file" service where you can just upload anything and it will get automatically unpacked..
Hi kao, I have something to consult you about your demolition tool. Your vehicle cannot recognize this retro game file. I can't understand if it's a bug with this tool. If there is a solution to this, can you send a tutorial to my e-mail address? Thank you from now.
{hidden link}
Can you please upload it again?
Hey Kao,
I'm wondering if you can help me. I used your demoleition_v0.65 tool on an .exe and it managed to recover the files, however, they appear to be corrupted when extracted. Some of the files are .pngs etc and none of them are viewable. Could you take a look please if you have a spare moment? Thank you in advance!
Mega Link: {hidden link}
There is no problem with my unpacker.
Those files have extension PNG but in fact they are XYZ files. Please refer to the RPG Maker 2003 manual. 🙂
Firstly, thank you Kao for the quick response and for dedicating time to review my issue; your assistance is greatly appreciated. I hadn't initially considered the possibility that the files could be in the .xyz format. By performing a bulk extension change from .png to .xyz, I was able to successfully access the files. However, I'm still encountering a challenge with the RPG_RT.lmt and RPG_RT.ldb files. Nonetheless, I wanted to extend my thanks once more for your help!
Hi David, you're welcome! 🙂
As for those 2 files you mentioned, let me assure you this is not a problem with my unpacker.
Somebody intentionally changed first few bytes of the data files.
MapXXXX.lmu should begin with a string "LcfMapUnit":
And this is what you have:
Similarly, RPG_RT.ldb should begin with a string LcfDataBase:
but you have:
And finally, RPG_RT.lmt should begin with a string "LcfMapTree":
but you have
You'll need to use a hex editor and undo those changes (or make a small tool, if you're a programmer).
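One way to write the small tool mentioned above, as an added Python example that is not part of the original comments or of kao's unpackers. It also covers the earlier PNG-versus-XYZ mix-up by checking image signatures instead of extensions. Assumptions: each header string is stored after a one-byte length prefix, the tampered bytes were overwritten in place, XYZ images start with `XYZ1`, and all function names are hypothetical.

```python
import sys
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # standard PNG signature
XYZ_MAGIC = b"XYZ1"                # assumed RPG Maker 2000/2003 XYZ signature

# Header strings quoted in the comment above, keyed by file extension.
LCF_STRINGS = {
    ".lmu": b"LcfMapUnit",
    ".ldb": b"LcfDataBase",
    ".lmt": b"LcfMapTree",
}


def expected_header(path):
    """Bytes an intact LCF file should start with, or None for other files.

    Assumption: the string is stored with a one-byte length prefix.
    """
    text = LCF_STRINGS.get(Path(path).suffix.lower())
    return None if text is None else bytes([len(text)]) + text


def image_kind(data):
    """Classify image data by signature, ignoring the file extension."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(XYZ_MAGIC):
        return "xyz"
    return "unknown"


def check_header(path):
    """Return (intact, found, expected) for an .lmu/.ldb/.lmt file."""
    expected = expected_header(path)
    if expected is None:
        raise ValueError(f"{path}: not an .lmu/.ldb/.lmt file")
    with open(path, "rb") as f:
        found = f.read(len(expected))
    return found == expected, found, expected


def repair_header(src, dst):
    """Copy src to dst with the expected header restored.

    Assumes the header bytes were overwritten in place (nothing inserted or
    removed), so the rest of the file is copied unchanged. Returns the number
    of header bytes that differed. The source file is never modified.
    """
    _, found, expected = check_header(src)
    data = Path(src).read_bytes()
    if len(data) < len(expected):
        raise ValueError(f"{src}: too short to hold an LCF header")
    Path(dst).write_bytes(expected + data[len(expected):])
    return sum(a != b for a, b in zip(found, expected))


if __name__ == "__main__":
    # Usage: python lcf_check.py RPG_RT.ldb Map0001.lmu picture.png ...
    for name in sys.argv[1:]:
        p = Path(name)
        if expected_header(p) is not None:
            ok, found, expected = check_header(p)
            state = "OK" if ok else "MODIFIED"
            print(f"{p}: header {state}, found={found!r}, expected={expected!r}")
        else:
            print(f"{p}: image signature = {image_kind(p.read_bytes()[:8])}")
```

Compare the reported `found` bytes with a hex editor view before trusting a repaired copy; if more than the header was altered, the file will still fail to load.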
Hey Kao,
I truly can't express my gratitude enough for dedicating your time to investigating my issue and offering a solution. To be honest, I didn't suspect an issue with your unpacker, given your evident competence in your field. My assumption was that any errors might have been on my part. I'll utilize a hex editor to implement the required changes, as I lack the proficiency to create a custom tool for this purpose. Nevertheless, thank you once more; your assistance is very much appreciated.
Hi please give me "Private exe Protector" Unpacker
Sorry, my magic wand is broken.
Some exe can't be unpacked, the logs are as below:
[-] File not found.
[i] Looking for external packages: D:\SUN2\unpack\Dat
[i] No matching files found
[i] Looking for external packages: \data1.wpk%D:\SUN2\unpack\\Data\Sound\3Dgio.dllD:\SUN2\unpack\\Data\data2.wpkD:\SUN2\unpack\
[-] File not found.
[i] Looking for external packages: D:\SUN2\unpack\
[i] No matching files found
[i] Looking for external packages: Data\data3.wpk噅B@ 霟♃䃦 @ S 䴀娸㡐朂Ђ༇'လň댊ᰁ먆Ἆ⇍롽䱧逊吐楨ݳ瀠潲㍧浡⟇익퍴敢ᅦ渏ڙ
[-] File not found.
[i] Looking for external packages: D:\SUN2\unpack\data3.wpk噅B@ 霟♃䃦 @ S 䴀娸㡐朂Ђ༇'လň댊ᰁ먆Ἆ⇍롽䱧逊吐楨ݳ瀠潲㍧浡⟇익퍴敢ᅦ渏ڙ
[i] No matching files found
[i] Original file had no TLS directory
[+] Unpacked main file: D:\SUN2\unpack\Sungame_unpacked.exe
[+] Finished!
To be able to help you, I need to see the packed file first.
Could you please upload the original package to MEGA/Mediafire/Workupload and post a link in the comments? Or send me the link via email (it's in the bottom of the page).
Thanks a lot, I am confused that there is no data3.wpk in the folder. It looks like the file name is garbled.
The file:
{hidden link}
Thank you, this looks like a bug in my unpacker and I will do my best to fix it.
Thanks for your work. How is it going now?
Hi, for personal reasons I will not be able to publish a new version of unpacker anytime soon.
However, here are your unpacked files. Hope this helps: https://mega.nz/file/ZpBWEILL#Zy9ylESLpMLK_-H7FwHUJtJMKh_t_iNHL-3S3R210r0
SUCH A DIFFICULT TASK
```
AMS unpacker v0.2, compiled on 20-08-2021.
Supports AutoPlay Media Studio v7.1..8.5.3.0 and Imagine MemoryEx Action Plugin.
Latest version always on {hidden link}
[i] Processing C:\Users\alumno\Desktop\DINDROID1\IAPack.exe
[x] Cannot find CDD file (`IAPack.cdd`), aborting. 🙁
[i] Finished unpacking, check C:\Users\alumno\Desktop\DINDROID1\IAPack_unpacked\ for unpacked files
[i] Searching for files protected with Imagine MemoryEx
[i] Search finished, did not find any protected files.
AMS unpacker v0.41, compiled on 13-08-2022.
Supports AutoPlay Media Studio v7.1 .. 8.5.3.0.
+ Imagine MemoryEx Action Plugin
+ Dindroid DCrypto Plugin v1.3, v1.4, v2.0
Latest version always on {hidden link}
[i] Processing C:\Users\alumno\Desktop\DINDROID1\IAPack.exe
[x] Cannot find CDD file (`IAPack.cdd`), aborting. 🙁
[i] Finished unpacking, check C:\Users\alumno\Desktop\DINDROID1\IAPack_unpacked\ for unpacked files
[i] Searching for files protected with Imagine MemoryEx
[i] Search finished, did not find any protected files.
[i] Searching for DCrypto reference
[x] Unpacked _proj.dat not found
[i] Searching for DCrypto2
[x] Unpacked _proj.dat not found
[i] Processing C:\Users\alumno\Desktop\DINDROID1\IAPack.exe
[x] Cannot find CDD file (`IAPack.cdd`), aborting. 🙁
[i] Finished unpacking, check C:\Users\alumno\Desktop\DINDROID1\IAPack_unpacked\ for unpacked files
[i] Searching for files protected with Imagine MemoryEx
[i] Search finished, did not find any protected files.
[i] Searching for DCrypto reference
[x] Unpacked _proj.dat not found
[i] Searching for DCrypto2
[x] Unpacked _proj.dat not found
```
this
{hidden link}
And your question is?
The unpacker itself works fine for me:
```
EnigmaVBUnpacker v0.62, compiled on 10-01-2024 21:17
Supports Enigma Virtual Box v4.10..10.60
Latest version always on https://lifeinhex.com
[+] Filename: F:\cugo\Capcom Universe.exe
[i] Loading large file, it might take some time...
[+] x64 executable
[+] Embedded files are not compressed
[+] EnigmaVB version: 9.90
[+] File "F:\cugo\%DEFAULT FOLDER%\data\action.zss", size=0x1242
[+] File "F:\cugo\%DEFAULT FOLDER%\data\big\readme.txt", size=0x1FB
...
[+] File "F:\cugo\%DEFAULT FOLDER%\chars\zero\zerolifebar.cns", size=0x537B
[+] File "F:\cugo\%DEFAULT FOLDER%\chars\zero\zerotag.cns", size=0x690A
[!] Warning: cannot fix PE Exception directory. Unpacked file may or may not work. Be careful!
[!] Found 0xFF47B bytes of overlay. Unpacked file may or may not work. Be careful!
[+] Unpacked main file: F:\cugo\Capcom Universe_unpacked.exe
[+] Finished!
```
How is the new version of the unpacker? I am looking forward to it very much. Thanks for your work again!